A government audit reveals that the Census Bureau does not do a good enough job protecting the confidentiality of its data - a stinging conclusion, considering the bureau collects personal information about every individual residing in the United States.

In the report made public Feb. 20 - entitled Information Security: Actions Needed by Census Bureau to Address Weaknesses - the Government Accountability Office says the bureau has not effectively implemented appropriate information security controls to protect its information systems. Auditors say many of the deficiencies at the Commerce Department agency relate to access controls, the security rules and procedures used to regulate who or what can access the bureau's systems.

"Without adequate controls over access to its systems, the bureau cannot be sure that its information and systems are protected from intrusion," GAO's Information Security Issues Director Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in the 51-page report.

Framework Fails to Fully Identify Risks

Wilshusen and Barkakati said an underlying reason for these weaknesses is that the Census Bureau has not fully implemented a comprehensive information security program to ensure that controls are effectively established and maintained. Although the Census Bureau had begun implementing a new risk management framework with a goal of better management visibility of information security risks, the auditors said, the framework didn't fully document identified information security risks.

In addition, the bureau failed to update certain security management program policies, to adequately enforce requirements for user security and awareness training, and to implement policies and procedures for incident response.

"Until the bureau implements a complete and comprehensive security program," the auditors wrote, "it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption or loss."

GAO offered 13 recommendations to address the problems, and Acting Commerce Secretary Rebecca Blank responded that the department, for the most part, agreed with GAO's conclusions, adding that the agency is forming a team to carefully review each finding and prepare a specific course of action to address it.

Bureau Questions Parts of Audit

Still, the bureau raised concerns with respect to several of GAO's findings, including one in which the auditors found that the bureau's continuous monitoring program failed to include mechanisms for near real-time continuous monitoring. The bureau contended that the frequency at which it performs scans is based on the identified risk of the control or system being assessed, and that monthly scans were consistent with the risk level it had identified for census data.

But GAO said the bureau's response is inconsistent with the risk-based continuous monitoring plans that the Census Bureau itself provided to the auditors, which call for weekly scans. In addition, the auditors said, National Institute of Standards and Technology guidelines note the importance of near real-time data as an input to an agency's security decision-making process, and the bureau's own risk management framework documentation describes near real-time risk monitoring as a long-term goal for the bureau. GAO said it has clarified its finding to better reflect the bureau's continuous monitoring plans.

About the Author

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.
